| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20091027004932.GH3780@zip.com.au>
Date: Tue, 27 Oct 2009 11:49:32 +1100
From: CaT <cat@....com.au>
To: Dan Yefimov <dan@...htwave.net.ru>
Cc: nomail@...ail.com, bugtraq@...urityfocus.com
Subject: Re: /proc filesystem allows bypassing directory permissions on
Linux
On Tue, Oct 27, 2009 at 12:29:09AM +0300, Dan Yefimov wrote:
> and testing them. Remember the scenario from the original mail and try
> finding a window, during which creating a hardlink would still work thus
> evading directory permissions check.
The main thing this does is allow a hardlink-like attack to work across
mountpoints afaics.
Instead of making hardlink you run something that keeps an fd open to the
file.
That said, I don't see how this is a vuln in /proc. Can you not have your
little program seek back to the beginning and re-read the file in order
to track changes?
You can't actually use /proc/*/fd to gain access to files opened by
processes you do not own. Only ones you do (at least in a mainline kernel)
which is fair enough. This means that you can't have user a open a file
owned by user b and then let user c have access to it via /proc/$pid/fd.
Or am I misreading/misunderstanding something? I've not tested all of the
above (no time). Just going off remembered experience.
--
"A search of his car uncovered pornography, a homemade sex aid, women's
stockings and a Jack Russell terrier."
- http://www.news.com.au/story/0%2C27574%2C24675808-421%2C00.html
Powered by blists - more mailing lists